what is Qualitative and Quantitative risk

Nithya Devi
Tera Contributor

‎03-21-2024 07:48 PM

Can anyone say,what is Qualitive and Quantitive risk in servicenow GRC?

0 Helpfuls
  • 2,508 Views
7 REPLIES 7

Simon Hendery
Mega Patron
Mega Patron

‎03-21-2024 10:01 PM

Hi @Nithya Devi - Risks, in themselves, aren’t qualitative or quantitative, but when you assess/evaluate a risk, you use method(s) that are either qualitative or quantitative.

 

How that works is: qualitative risk analysis is based on a person’s perception or judgment, while quantitative risk analysis is based on verified and specific data.

 

That’s a very general explanation. If there’s something specific you would like to know about how qualitative or quantitative risk assessments are applied within ServiceNow GRC, don’t hesitate to hit reply!

Nithya Devi
Tera Contributor
In response to Simon Hendery

‎03-24-2024 06:17 AM

@simon.Thanks for the explanation.

0 Helpfuls

AndersBGS
Tera Patron
Tera Patron

‎03-21-2024 11:42 PM

Hi @Nithya Devi ,

 

Sure, Quantitative is measurable where qualitative  is a persons judgement (not measurable). 

 

If my answer has helped with your question, please mark my answer as accepted solution and give a thumb up.

 

best regards

Anders

If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.

Best regards
Anders

Rising star 2024
MVP 2025
linkedIn: https://www.linkedin.com/in/andersskovbjerg/

Community Alums
Not applicable

‎03-23-2024 07:51 PM

Hi @Nithya Devi ,

Risks are scored during an assessment and then a rating is derived. Ratings are of three kinds: qualitative, semi-quantitative, and quantitative.

Qualitative rating

Qualitative risk assessments rely on the assessor's perceptions of the probability and impact of a risk. If the method is purely qualitative, then the ratings are based on the list values such as high, medium, or low. In this case, the risk scores do not roll up. Because this method has minimal mathematical dependency, qualitative risk assessment is easy and quick to perform. This method also enables an organization to take advantage of the assessor's experienced knowledge of the process or asset that is being assessed. Users who are new to risk assessments usually use this kind of rating.

The following figure shows an example of qualitative rating.
Qualitative risk assessment
SandeepDutta_0-1711248663462.png

Semi-quantitative rating

In a semi-quantitative rating, the qualitative ratings also have a corresponding numerical scale. For example, if the quantitative risk score is between 0-10, then the qualitative rating is low. Users who use this type of rating are not new to risk assessments. Most users belong to this category. In this category, the risk scores roll up and the risk appetite is qualitative in nature.

The following figure shows an example of semi-quantitative rating.
Semi-quantitative risk rating
SandeepDutta_1-1711248689580.png

Quantitative rating

A quantitative risk assessment focuses on data that is fact-based, measurable, and highly mathematical. In a quantitative risk rating that uses advanced simulation techniques, the risk is quantified in purely numerical terms. In this category, the risk appetite is quantitative in nature.